yshavit · yshavit · Mar 22, 2026 · Mar 22, 2026
diff --git a/.github/workflows/binary-verify.yml b/.github/workflows/binary-verify.yml
@@ -35,6 +35,7 @@ jobs:
   dispatch-targets:
     needs: list-targets
     runs-on: ubuntu-latest
+    permissions: { }
     outputs:
       windows: ${{ steps.run.outputs.windows }}
       non-windows: ${{ steps.run.outputs.non-windows }}
@@ -139,6 +140,7 @@ jobs:
 
   docker:
     runs-on: ubuntu-latest
+    permissions: { }
     steps:
       - name: Calculate tag
         id: tag

diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -28,10 +28,7 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
-# for attestations
 permissions:
-  id-token: write
-  attestations: write
   contents: read
 
 jobs:
@@ -86,6 +83,10 @@ jobs:
 
   build:
     needs: build-targets
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     strategy:
       matrix:
         target: ${{ fromJSON(needs.build-targets.outputs.names) }}

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [ "main" ]
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
@@ -5,6 +5,9 @@ on:
   pull_request:
     branches: [ "main", "feature/*" ]
 
+permissions:
+  contents: read
+
 jobs:
   newlines:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/list-targets.yml b/.github/workflows/list-targets.yml
@@ -16,6 +16,8 @@ on:
         value: ${{ jobs.list-targets.outputs.rust_target_by_target }}
 
 
+permissions: { }
+
 jobs:
   list-targets:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [ "main", "feature/*" ]
 
+permissions:
+  contents: read
+
 jobs:
   semver:
     permissions:
@@ -57,7 +60,7 @@ jobs:
   breaking-change-docs:
     needs: semver
     permissions:
-      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
       - name: Fetch PR description
@@ -96,4 +99,4 @@ jobs:
           elif [[ "$has_label" == "false" && "$has_section" == "true" ]]; then
             echo "::error title=breaking-change-docs::PR has '# Breaking change' section in description but is missing 'breaking change' label."
             exit 1
-          fi
+          fi
diff --git a/.github/workflows/prepare-new-release.yml b/.github/workflows/prepare-new-release.yml
@@ -22,6 +22,9 @@ on:
         type: boolean
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   create_draft:
     runs-on: ubuntu-latest
@@ -31,7 +34,6 @@ jobs:
       TAG_NAME: "v${{ github.event.inputs.version_to_release }}"
     permissions:
       contents: write
-      pull-requests: write
 
     steps:
 

diff --git a/.github/workflows/readme-checks.yml b/.github/workflows/readme-checks.yml
@@ -8,6 +8,9 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   check-msrv:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-assets.yml b/.github/workflows/release-assets.yml
@@ -22,10 +22,7 @@ on:
         type: string
         required: false
 
-# for attestations in build-release.yml
 permissions:
-  id-token: write
-  attestations: write
   contents: write # needed for viewing and uploading to the draft release
 
 jobs:
@@ -91,6 +88,10 @@ jobs:
 
   build:
     needs: validate
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build-release.yml
     secrets: inherit
     with:

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -18,9 +18,14 @@ env:
   DOCKER_RC_TAG: "yshavit/mdq:${{ inputs.version }}-rc"
   DOCKER_PUBLISH_TAG: "yshavit/mdq:${{ inputs.version }}"
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     env:
       GH_TOKEN: ${{ github.token }}
     outputs:
@@ -65,6 +70,7 @@ jobs:
     environment: Docker Hub
     needs: verify
     runs-on: ubuntu-latest
+    permissions: { }
     steps:
 
       - name: Log in to Docker Hub
@@ -172,4 +178,3 @@ jobs:
 
       - name: Publish
         run: cargo publish
-
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -9,6 +9,9 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/system-test.yml b/.github/workflows/system-test.yml
@@ -6,6 +6,9 @@ on:
     branches: [ "main", "feature/*" ]
   workflow_dispatch: { }
 
+permissions:
+  contents: read
+
 jobs:
   toml-cases:
     runs-on: ubuntu-latest